-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4389
       Security Bulletin: IBM Maximo Asset Management is vulnerable
                  to Privilege Escalation (CVE-2019-4530)
                             20 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Maximo Asset Management
Publisher:         IBM
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Delete Arbitrary Files -- Existing Account
                   Increased Privileges   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4530  

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1108503

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Maximo Asset Management is vulnerable to Privilege Escalation
(CVE-2019-4530)

Security Bulletin

Summary

IBM Maximo Asset Management could allow an authenticated user to delete a
record that they should not normally be able to.

Vulnerability Details

CVEID: CVE-2019-4530
DESCRIPTION: IBM Maximo Asset Management could allow an authenticated user to
delete a record that they should not normally be able to.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/165586
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

+---------------------------+----------+
|Affected Product(s)        |Version(s)|
+---------------------------+----------+
|IBM Maximo Asset Management|7.6.0     |
+---------------------------+----------+
|IBM Maximo Asset Management|7.6.1     |
+---------------------------+----------+
|IBM Maximo Asset Management|7.6.1.1   |
+---------------------------+----------+

Remediation/Fixes

Please refer to Workarounds and Mitigations

Workarounds and Mitigations

The MXAPIWODETAIL object structure provides information on work order records
in Maximo. While work center users need access to read, insert, and save work
orders using this object structure, they do not need access to delete work
orders. The APAR fix removes the DELETE authorization for the MXAPIWODETAIL
object structure from the TECHNICIAN and SUPERVISOR templates.

While this fix ensures that incorrect access settings are not applied to any
future groups, it does not revoke the existing delete access that was
previously granted by the templates. You must remove access to the DELETE
authorization in the MXAPIWODETAIL object structure for all groups that are
linked to either the SUPERVISOR or TECHNICIAN templates.

To remove the existing delete access, perform the following steps for each
group that is linked to either the SUPERVISOR or TECHNICIAN templates:

1. Open the Security Groups application.
2. Find the group that is linked to either the SUPERVISOR or TECHNICIAN
templates and open it.
3. Click the Object Structures tab.
4. In the Object Structures table, find the MXAPIWODETAIL row and select it.
5. In the options table, uncheck the Grant Access check box for only the Delete
MXAPIWODETAIL option.
6. Save the record.

In versions of Maximo Asset Management prior to 7.6.1.2, you must also update
the TECHNICIAN and SUPERVISOR templates to remove the DELETE authorization for
the MXAPIWODETAIL object structure. However, you cannot modify out-of-the-box
templates by using the user interface. You must execute the following database
statement to remove the delete access:

   delete from wctemplateauth where app = 'MXAPIWODETAIL' and workcenter in
   ('TECHNICIAN','SUPERVISOR') and template in ('TECHNICIAN','SUPERVISOR') and
   optionname='DELETE';
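The following is an added worked example, not part of the IBM bulletin or of AusCERT's text: it wraps the template clean-up above in a verify-revoke-verify sequence so an administrator can confirm what is being removed before committing, and it lists the security groups that still need the manual Security Groups steps. The wctemplateauth table and its columns (app, workcenter, template, optionname) are taken from the bulletin's own statement. The group-level query assumes that Maximo stores per-group object structure grants in an APPLICATIONAUTH table with APP, GROUPNAME and OPTIONNAME columns; that table and those column names are an assumption and are not stated in the bulletin, so check them against your own Maximo schema before relying on the query. Run with autocommit disabled so the final COMMIT is the only point at which the change becomes permanent.

```sql
-- Added example (not from the IBM bulletin). Run with autocommit off.

-- 1. Pre-check: show the template rows that grant DELETE on MXAPIWODETAIL.
--    Table and column names come from the bulletin's own delete statement.
SELECT app, workcenter, template, optionname
  FROM wctemplateauth
 WHERE app = 'MXAPIWODETAIL'
   AND optionname = 'DELETE'
   AND workcenter IN ('TECHNICIAN', 'SUPERVISOR')
   AND template   IN ('TECHNICIAN', 'SUPERVISOR');

-- 2. ASSUMPTION (not in the bulletin): group-level grants are assumed to live
--    in APPLICATIONAUTH (APP, GROUPNAME, OPTIONNAME). This lists every security
--    group that still holds the DELETE grant, i.e. the groups for which the
--    Security Groups application steps in the bulletin must still be performed.
--    The template fix alone does not revoke these existing grants.
SELECT groupname
  FROM applicationauth
 WHERE app = 'MXAPIWODETAIL'
   AND optionname = 'DELETE'
 ORDER BY groupname;

-- 3. Revoke the template-level grant (the bulletin's statement, unchanged).
delete from wctemplateauth where app = 'MXAPIWODETAIL' and workcenter in
('TECHNICIAN','SUPERVISOR') and template in ('TECHNICIAN','SUPERVISOR') and
optionname='DELETE';

-- 4. Post-check: this must return 0 before the change is committed.
--    If it does not, ROLLBACK and investigate rather than COMMIT.
SELECT COUNT(*) AS remaining_template_delete_grants
  FROM wctemplateauth
 WHERE app = 'MXAPIWODETAIL'
   AND optionname = 'DELETE'
   AND workcenter IN ('TECHNICIAN', 'SUPERVISOR')
   AND template   IN ('TECHNICIAN', 'SUPERVISOR');

COMMIT;
```

The group list from step 2 is the practical check that the bulletin's UI procedure has been completed for every affected group: once the Grant Access box for Delete MXAPIWODETAIL has been cleared and saved for each group, that query should return no rows. Re-running step 2 periodically (or after any new group is created from a template) also detects whether the delete grant has been reintroduced.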

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXdTDKWaOgq3Tt24GAQimnhAAjKaxgvbNi15xzjlNh+fkMwnDUtD1bIaf
JQrt2nQTh5eryN77sKejLvESJTw32crr1sWKDPTAyeLEPE4KyYf5qTuJFd0l9rjS
X5QwssGufGCAsnJr/8nAqv9iUMW7BuTmoNE9BjUMSMaM9WKaPvhf2xgO7kGH0c6m
h0qqe9qLhQXsAdFP2gDSRY0N1eirXCWQC74RFduBYc3EQAnV0NHyLREiQYrs2za8
pIc/XZ9XR0l64ziH5fhCFglE8RB/VAUMzZ+4bQYj3dhUt7wlZcjjb+mRGuXUpYsT
+Mu9BxKZCiU2aFg2ZvsFAt0zZydUixAA1kq1ud1Tx4RtCIEDxjnzmxclxCeGj37q
6dZTRPDKMhH+eEYIhdjqhWs56nIO3zm4GHx9JQp+0CWCayJvSGheB7l3/QCX9YhX
VVfgO4sFTCgumRjGi2DJlWE2TfGov6ioPLROZk+84YBpVUIPE1Ni67C15Bq8BqqR
kxYxP0dDS3yL8n44pwMg1nbBVHkPc3CXUkfDnH60gYXdQjBlZbEcGlGKrQT5lIas
Y1xrgTQiUOZM69LevmOn9yvCdZ7mISVmi3GnKBqEo6Oi33t2R9AF6JLmTNmxGdbg
qgrrz6/HXTYH60GOuyXAAjDuphsqyij/wklAg+u0N79qw30NW46EIVvHswGxpvmg
o4f0FInlJ4w=
=vQjQ
-----END PGP SIGNATURE-----